Moderate
CVE-2019-13990
CVE-2019-13990
Description
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
Add Assessment
Technical Analysis
In Atlassian’s October Security Bulletin, this vulnerability was one of the highlighted ones.
In certain versions of Jira Service Management Server & Data Center, a vulnerability denoted as CVE-2019-13990 was identified. These affected versions contained vulnerable iterations of Terracotta Quartz Scheduler, which could be exploited by authenticated attackers to launch an XML External Entity (XXE) injection attack via job descriptions.
Atlassian has pledged to issue critical advisories in accordance with the National Vulnerability Database (NVD) vulnerability score. In this instance, the Common Vulnerability Scoring System (CVSS) score for this third-party CVE is critical (9.8). Nevertheless, this score does not always consider the specific context in which the vulnerable component is employed in our software. In this case, unauthenticated attackers who lack local access to the system cannot exploit this vulnerability. Therefore, our internal evaluation of this vulnerability designates it as having a high severity rating.
Affected Versions:
This XXE (XML External Entity Injection) vulnerability impacts all versions, including and after 4.20.0, of Jira Service Management Data Center and Server. Versions outside of the support window could potentially be affected, so Atlassian strongly recommends upgrading to the fixed LTS version or a later release.
CVSS V3 Severity and Metrics
General Information
Vendors
- apache,
- atlassian,
- netapp,
- oracle,
- softwareag
Products
- active iq unified manager -,
- apache batik mapviewer 12.2.0.1,
- apache batik mapviewer 18c,
- apache batik mapviewer 19c,
- banking enterprise originations 2.7.0,
- banking enterprise originations 2.8.0,
- banking enterprise product manufacturing 2.7.0,
- banking enterprise product manufacturing 2.8.0,
- banking payments,
- cloud secure agent -,
- communications ip service activator 7.3.0,
- communications ip service activator 7.4.0,
- communications session route manager,
- customer management and segmentation foundation 18.0,
- documaker,
- enterprise manager base platform 13.2.1.0,
- enterprise manager ops center 12.4.0.0,
- flexcube investor servicing 12.1.0,
- flexcube investor servicing 12.3.0,
- flexcube investor servicing 12.4.0,
- flexcube investor servicing 14.1.0,
- flexcube investor servicing 14.4.0,
- flexcube private banking 12.0.0,
- flexcube private banking 12.1.0,
- fusion middleware mapviewer 12.2.1.3.0,
- google guava mapviewer 12.2.0.1,
- google guava mapviewer 18c,
- google guava mapviewer 19c,
- hyperion infrastructure technology 11.1.2.4,
- jd edwards enterpriseone orchestrator,
- jira service management 4.20.0,
- jira service management 4.20.1,
- jira service management 4.20.10,
- jira service management 4.20.11,
- jira service management 4.20.12,
- jira service management 4.20.13,
- jira service management 4.20.14,
- jira service management 4.20.15,
- jira service management 4.20.16,
- jira service management 4.20.17,
- jira service management 4.20.18,
- jira service management 4.20.19,
- jira service management 4.20.2,
- jira service management 4.20.20,
- jira service management 4.20.21,
- jira service management 4.20.22,
- jira service management 4.20.23,
- jira service management 4.20.24,
- jira service management 4.20.25,
- jira service management 4.20.3,
- jira service management 4.20.4,
- jira service management 4.20.5,
- jira service management 4.20.6,
- jira service management 4.20.7,
- jira service management 4.20.8,
- jira service management 4.20.9,
- jira service management 4.21.0,
- jira service management 4.21.1,
- jira service management 4.22.0,
- jira service management 4.22.1,
- jira service management 4.22.2,
- jira service management 4.22.3,
- jira service management 4.22.4,
- jira service management 4.22.6,
- jira service management 5.0.0,
- jira service management 5.1.0,
- jira service management 5.1.1,
- jira service management 5.10.0,
- jira service management 5.2.0,
- jira service management 5.2.1,
- jira service management 5.3.0,
- jira service management 5.3.1,
- jira service management 5.3.2,
- jira service management 5.3.3,
- jira service management 5.4.0,
- jira service management 5.4.1,
- jira service management 5.4.2,
- jira service management 5.4.3,
- jira service management 5.4.4,
- jira service management 5.4.5,
- jira service management 5.4.6,
- jira service management 5.4.7,
- jira service management 5.4.8,
- jira service management 5.4.9,
- jira service management 5.5.1,
- jira service management 5.6.0,
- jira service management 5.7.0,
- jira service management 5.7.1,
- jira service management 5.8.0,
- jira service management 5.8.1,
- jira service management 5.9.0,
- primavera unifier,
- primavera unifier 16.1,
- primavera unifier 16.2,
- primavera unifier 18.8,
- quartz,
- retail back office 14.1,
- retail central office 14.1,
- retail integration bus 15.0,
- retail integration bus 16.0,
- retail order broker 15.0,
- retail order broker 16.0,
- retail order broker 18.0,
- retail order broker 19.0,
- retail point-of-service 14.1,
- retail returns management 14.1,
- retail xstore point of service 15.0,
- retail xstore point of service 16.0,
- retail xstore point of service 17.0,
- retail xstore point of service 18.0,
- retail xstore point of service 19.0,
- terracotta quartz scheduler mapviewer 12.2.0.1,
- terracotta quartz scheduler mapviewer 18c,
- terracotta quartz scheduler mapviewer 19c,
- tomee 7.1.3,
- webcenter sites 12.2.1.3.0,
- webcenter sites 12.2.1.4.0
References
Advisory
Miscellaneous
